Lightweight Cryptography
María Naya-Plasencia, Inria, France
Summer School on real-world crypto and privacy, Sibenik, Croatia, June 15 2018
Outline
▶ Symmetric lightweight primitives
▶ Most used cryptanalysis
- Impossible differential attacks
- Meet-in-the-middle
- Dedicated attacks
▶ Conclusions and remarks
Symmetric Lightweight Primitives
Lightweight Primitives
▶ Lightweight primitives are designed for constrained environments, like RFID tags and sensor networks.
▶ Real need ⇒ an enormous amount of proposals in the last years (block and stream ciphers, hash functions): PRESENT, LED, KATAN/KTANTAN, KLEIN, PRINCE, PRINTcipher, LBlock, TWINE, XTEA, mCrypton, Iceberg, HIGHT, Piccolo, SIMON, SPECK, SEA, DESL...
▶ NIST lightweight competition to start around December 2018; comments on the draft call close on 28 June!
Draft: NIST competition
AEAD and hash functions. (Some) requirements:
▶ Efficient for short messages.
▶ Compact HW and embedded SW implementations with low RAM/ROM.
▶ Efficient key preprocessing.
▶ Different strategies: low energy / low power / low latency.
▶ Performant on different microcontroller architectures... Better in constrained environments than existing standards.
Lightweight Primitives
▶ Any attack better than the generic one is considered a "break".
▶ Cryptanalysis of lightweight primitives: a fundamental task, responsibility of the community.
▶ Importance of cryptanalysis (especially on new proposals): the more a cipher is analyzed, the more confidence we can have in it...
▶ ...or we know which algorithms are not secure to use.
Lightweight Primitives
▶ Lightweight: more 'risky' designs, lower security margin, simpler components.
▶ Often innovative constructions ⇒ dedicated attacks.
▶ Types of attacks: single-key/related-key, distinguisher/key-recovery, weak keys, ...
▶ Importance of attacks on reduced versions.
▶ Even attacks with high complexities matter: they exhibit ugly properties or determine the security margin.
Main Objectives of this talk
▶ Perform a (non-exhaustive) survey of proposals and their security status.
▶ Provide the intuition behind the "most useful attacks" against LW ciphers.
▶ Conclusions and remarks (link with hash functions).
Survey of Proposals¹
▶ Feistel networks (best external analysis):
- DESLX: none
- ITUbee: self-similarity (8/20 r)
- LBlock: impossible differential (24/32 r)
- SEA: none
- SIMON and SPECK: impossible differential, differential, zero-correlation
- XTEA: MITM (23/64 r)
- CLEFIA: impossible differential (13/18 r)
- HIGHT: zero-correlation (27/32 r)
- TWINE: MITM, impossible differential, zero-correlation (25/36 r)
¹ Mainly from https://cryptolux.org/index.php/Lightweight_Block_Ciphers
Survey of Proposals
▶ Substitution-permutation networks:
- KLEIN: dedicated attack (full round)
- LED: EM (Even-Mansour) generic attacks (8/12 r, 128-bit key)
- Zorro: differential (full round)
- mCrypton: MITM (9/12 r, 128-bit key)
- PRESENT: multidimensional linear (27/31 r)
- PRINTcipher: invariant subspace, weak keys (full round)
- PRIDE: differential (18/20 r)
- PRINCE: multiple differential (10/12 r)
- Fantomas/Robin: none / invariant subspace, weak keys (full round)
Survey of Proposals
▶ FSR-based:
- KTANTAN/KATAN: MITM (153/254 r)
- Grain: correlation / cube attacks (some versions full round)
- Trivium: cube attacks (800/1152 r)
- Sprout: guess-and-determine (full round)
- Quark: conditional differential (25% of the rounds)
- Fruit: divide-and-conquer (full round)
- Lizard: guess-and-determine (full round)
Survey of Proposals
▶ ARX:
- Chaskey: differential-linear (7/8 r)
- HIGHT: zero-correlation (27/32 r)
- LEA: differential (14/24 r)
- RC5: differential (full round)
- Salsa20: differential (8/20 r)
- Sparx: impossible differential (15/24 r)
- Speck: differential (17/32 r)
More Proposals
For more details, primitives and classifications, see: State of the Art in Lightweight Symmetric Cryptography, by Alex Biryukov and Leo Perrin, https://eprint.iacr.org/2017/511
Most Successful Attacks
Families of attacks
▶ Impossible differentials (Feistel)
▶ MITM / guess-and-determine (SPN, FSR)
▶ Dedicated (differential/linear...)
Impossible Differential Attacks
Classical Differential Attacks [BS'90]
Given an input difference between two plaintexts, some output differences occur more often than others.
[Figure: two plaintexts X′, X″ with difference ∆X are encrypted under E_K to Y′, Y″ with difference ∆Y.]
A differential is a pair (∆X, ∆Y).
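An added example, not part of the slides: the differential distribution table (DDT) of the PRESENT S-box (the S-box tabulated later in this deck) makes the statement concrete, since the entry for (∆X, ∆Y) is exactly how many of the 16 inputs take input difference ∆X to output difference ∆Y. The trail helper assumes the usual heuristic that S-box transitions in different rounds are independent, and it ignores how the linear layer moves differences between rounds; the transitions passed to it are the caller's assumption. A zero entry is a transition that never happens, which is what the impossible differential attacks later in the deck exploit.

```python
import math

# PRESENT 4-bit S-box (the one tabulated later in these slides).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """Differential distribution table: table[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}.

    Row dx = 0 is trivial (all 16 inputs give dy = 0); every other row also sums
    to 16, and the counts are even because x and x ^ dx give the same dy.
    """
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_probability(sbox, dx, dy):
    """Pr[S(x) ^ S(x ^ dx) = dy] over a uniformly random x."""
    return ddt(sbox)[dx][dy] / len(sbox)


def best_differentials(sbox):
    """Maximum DDT entry over nonzero input differences (the differential
    uniformity of the S-box) and the list of (dx, dy) pairs attaining it."""
    table = ddt(sbox)
    n = len(sbox)
    best = max(table[dx][dy] for dx in range(1, n) for dy in range(n))
    pairs = [(dx, dy) for dx in range(1, n) for dy in range(n) if table[dx][dy] == best]
    return best, pairs


def trail_probability_log2(sbox, transitions):
    """log2 probability of a differential trail given as the list of (dx, dy)
    S-box transitions it activates, one per active S-box, assuming the
    transitions are independent (the usual heuristic). Returns None when a
    transition has DDT entry 0: the trail is impossible (probability 0)."""
    table = ddt(sbox)
    total = 0.0
    for dx, dy in transitions:
        count = table[dx][dy]
        if count == 0:
            return None
        total += math.log2(count / len(sbox))
    return total


if __name__ == "__main__":
    best, pairs = best_differentials(PRESENT_SBOX)
    print(f"max DDT entry {best}/16, attained by {len(pairs)} differentials, e.g. {pairs[:3]}")
    print("log2 Pr of a trail with three active S-boxes using (1 -> 9):",
          trail_probability_log2(PRESENT_SBOX, [(1, 9)] * 3))
    print("trail using the impossible transition (1 -> 1):",
          trail_probability_log2(PRESENT_SBOX, [(1, 9), (1, 1)]))
```

For PRESENT every nonzero row of the DDT has its mass spread over at most four output differences with count 4, i.e. no differential through one S-box holds with probability better than 2^-2, and many (∆X, ∆Y) pairs never occur at all.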
Differential path: example
[Figure: example of a differential path over several rounds.]
Truncated Differential Attacks [K'94]
A truncated path predicts only parts of the differences. Let's see a simple example:
Truncated path: example
[Figure: a truncated differential path over several rounds. X marks a word whose difference is only predicted as active (nonzero) or inactive, and ? a word whose difference is not predicted at all.]
Impossible Differential Attacks [K,BBS’98]
▶ Impossible differential attacks use a differential with probability 0.
▶ We can find the impossible differential using the miss-in-the-middle technique [BBS'98].
▶ Extend it backward and forward ⇒ the active S-box transitions give information on the involved key bits.
▶ Generic framework and improvements [BNPS14, BLNPS17]
Example: LBlock
Designed by Wu and Zhang (ACNS 2011).
▶ 80-bit key and 64-bit state.
▶ 32 rounds.
[Figure: one LBlock round (Feistel): the function F under subkey k_i is applied to the left branch and XORed onto the right branch rotated by <<< 8.]
Example: LBlock
Inside the function F:
▶ add the subkey to the input,
▶ 8 different 4 × 4 S-boxes,
▶ a nibble permutation P.
Best attack so far: impossible differential on 23 rounds [CFMS'14, BMNPS'14] and related-key on 24 rounds [SHS'15].
Impossible differential: 14 rounds
[Figure: the 14-round impossible differential on LBlock, covering the rounds with subkeys k5 to k18.]
Impossible Differential Attack
[Figure: generic layout. The impossible differential ∆X ↛ ∆Y covers r_∆ rounds; it is extended by r_in rounds backward up to ∆in and by r_out rounds forward up to ∆out. The extensions impose c_in (resp. c_out) bit conditions and involve the key bits k_in (resp. k_out).]
Discarding Wrong Keys
▶ Given one pair of inputs with difference ∆in that produces ∆out,
▶ all the (partial) keys that produce ∆X from ∆in and ∆Y from ∆out differ from the correct one.
▶ If we consider N pairs verifying (∆in, ∆out), the probability of NOT discarding a candidate key is $(1 - 2^{-c_{in}-c_{out}})^N$.
For the Attacks to Work
We need, for a state size $s$ and a key size $|K|$:
$C_{data} < 2^{s}$ and $C_{data} + 2^{|k_{in} \cup k_{out}|} C_N + 2^{|K| - |k_{in} \cup k_{out}|} P\, 2^{|k_{in} \cup k_{out}|} < 2^{|K|}$,
where $C_{data}$ is the data needed for obtaining $N$ pairs $(\Delta_{in}, \Delta_{out})$, $C_N$ is the average cost of testing the pairs per candidate key (early-abort technique [LKKD08]) and $P = (1 - 2^{-c_{in}-c_{out}})^N$ is the probability of not discarding a candidate key.
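The condition above turned into a small calculator, as an added example that is not part of the slides. The parameters in `example()` are hypothetical values chosen to exercise the formula, not the LBlock parameters; what the code gets exactly right is the relation between N, c_in + c_out and P, and the log2 bookkeeping of the three time terms (the last one simplifies to P · 2^|K|: the surviving partial keys, each completed with the remaining key bits).

```python
import math

LOG2 = math.log(2)


def log2_prob_not_discarded(c_in, c_out, n_pairs):
    """log2 of P = (1 - 2^-(c_in + c_out))^N, the probability that a wrong
    candidate key survives N pairs (∆in, ∆out). log1p keeps the value accurate
    when c_in + c_out is large and 2^-c is tiny."""
    return n_pairs * math.log1p(-2.0 ** -(c_in + c_out)) / LOG2


def pairs_for_survival(c_in, c_out, target_log2_p):
    """Smallest N with P <= 2^target_log2_p (target_log2_p < 0); roughly
    2^(c_in + c_out) * ln(2) * (-target_log2_p)."""
    per_pair = math.log1p(-2.0 ** -(c_in + c_out)) / LOG2   # log2 P lost per pair (negative)
    return math.ceil(target_log2_p / per_pair)


def attack_cost_log2(key_bits, k_bits, c_in, c_out, n_pairs, data_log2, cost_n_log2):
    """log2 of each term of the slide's time formula,
         C_data + 2^{|kin ∪ kout|} C_N + 2^{|K| - |kin ∪ kout|} P 2^{|kin ∪ kout|},
    with k_bits = |kin ∪ kout| and cost_n_log2 = log2 C_N (cost per candidate key
    of testing the pairs with early abort, in encryptions)."""
    p_log2 = log2_prob_not_discarded(c_in, c_out, n_pairs)
    sieve_log2 = k_bits + cost_n_log2
    # surviving partial keys P * 2^k_bits, each completed with the |K| - k_bits unknown bits
    exhaust_log2 = (key_bits - k_bits) + p_log2 + k_bits
    total_log2 = math.log2(2.0 ** data_log2 + 2.0 ** sieve_log2 + 2.0 ** exhaust_log2)
    return {"p": p_log2, "data": data_log2, "sieve": sieve_log2,
            "exhaust": exhaust_log2, "total": total_log2}


def attack_is_valid(state_bits, key_bits, cost):
    """Both conditions of the slide: C_data < 2^s and total time < 2^|K|."""
    return cost["data"] < state_bits and cost["total"] < key_bits


def example():
    # Hypothetical parameters (NOT those of LBlock): 64-bit state, 80-bit key,
    # 12 + 10 bit conditions, 60 key bits involved, 2^26 pairs from 2^60 data,
    # C_N = 2^-2 encryptions per candidate key thanks to early abort.
    cost = attack_cost_log2(key_bits=80, k_bits=60, c_in=12, c_out=10,
                            n_pairs=2 ** 26, data_log2=60, cost_n_log2=-2)
    return cost, attack_is_valid(64, 80, cost)


if __name__ == "__main__":
    cost, ok = example()
    for name, value in cost.items():
        print(f"log2 {name:8s} = {value:8.2f}")
    print("attack beats exhaustive search:", ok)
    print("pairs needed to halve the survivors at c_in + c_out = 10:",
          pairs_for_survival(5, 5, -1))
```

A useful reading of `pairs_for_survival`: with c_in + c_out condition bits, each pair only removes a 2^-(c_in+c_out) fraction of the wrong keys, so N has to grow like 2^(c_in+c_out) before the surviving fraction P drops noticeably; that is why the data term and the condition bits are tied together.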
First Rounds
[Figure: the first four rounds of the attack (subkeys K1 to K4, branches L1..L5 and R1..R5), with 1, 1, 2 and 3 bit conditions as marked in the figure.]
Last Rounds
[Figure: the last four rounds of the attack (subkeys K19 to K22, branches L19..L23 and R19..R23), with 3, 2, 1 and 1 bit conditions as marked in the figure.]
Impossible Differential on LBlock
▶ For 21 rounds: time $2^{69.5}$ with $2^{63}$ data; for 22 rounds: time $2^{71.53}$ with $2^{60}$ data; for 23 rounds: time $2^{75.36}$ with $2^{59}$ data.
▶ Feistel constructions in general are good targets.
Improvements [BN-PS14,BLN-PS17,B18]
▶ Multiple impossible differentials (related to [JN-PP13])
▶ Correctly choosing ∆in and ∆out (related to [MRST09])
▶ State-test technique (related to [MRST09])
▶ More accurate estimate of the number of pairs [B18]
Example: CLEFIA-128
- block size: 4 × 32 = 128 bits
-  key size: 128 bits
- number of rounds: 18
[Figure: CLEFIA round structure.]
Multiple Impossible Differentials
Formalizes the idea of [Tsunoo et al. 08]: CLEFIA has two 9-round impossible differentials, (0, 0, 0, A) ↛ (0, 0, 0, B) and (0, A, 0, 0) ↛ (0, B, 0, 0), when A and B verify:

A | B
(0, 0, 0, α) | (0, 0, β, 0) or (0, β, 0, 0) or (β, 0, 0, 0)
(0, 0, α, 0) | (0, 0, 0, β) or (0, β, 0, 0) or (β, 0, 0, 0)
(0, α, 0, 0) | (0, 0, 0, β) or (0, 0, β, 0) or (β, 0, 0, 0)
(α, 0, 0, 0) | (0, 0, 0, β) or (0, 0, β, 0) or (0, β, 0, 0)

2 × 4 × 3 = 24 impossible differentials in total: $C_{data} = 2^{113}$ becomes $C_{data} = 2^{113}/24$.
State Test Technique
Reduce the number of key bits involved.
[Figure: the byte B at the boundary of the extension is computed as B = ■ ⊕ S0(■ ⊕ ■) ⊕ ■ from key bytes and state bytes (colored squares in the slide).]
Instead of guessing all the key bits that B depends on, test the 8-bit value B′ = ■ ⊕ S0(■ ⊕ ■) directly (with B = B′ ⊕ ■): |k_in ∪ k_out| = 122 bits ⇒ |k_in ∪ k_out| = 122 − 16 + 8 bits (16 key bits replaced by the 8 bits of B′).
Applications of Improved Impossible Diff
▶ CLEFIA: best attack on CLEFIA (13 rounds).
▶ Camellia: improved best attacks on Camellia.
▶ AES: attacks comparable with the best MITM ones (7 rounds).
▶ LBlock: best attack (24 rounds).
Meet-in-the-middle attacks
Meet-in-the-Middle Attacks
▶ Introduced by Diffie and Hellman in 1977.
▶ Widely applied tool.
▶ Few data needed.
▶ Many improvements: partial matching, bicliques, sieve-in-the-middle...
Meet-in-the-Middle Attacks [Diffie Hellman 77]
[Figure: E_K is split into a forward part F, which depends only on K1, and a backward part B, which depends only on K2, with K = K1 ∪ K2. Both parts are evaluated independently from the plaintext and from the ciphertext and matched on an s-bit middle state M. Cost: $2^{|K_1|} + 2^{|K_2|} + 2^{|K| - s}$ instead of $2^{|K|}$.]
With Partial Matching [AS'08]
[Figure: same layout, but only s′ bits of the middle state are matched, so F and B can be made to cover more rounds. Cost: $2^{|K_1|} + 2^{|K_2|} + 2^{|K| - s'}$.]
With Bicliques [KRS'11]
[Figure: a biclique on the key bits (k1, k2) links the ciphertext to an internal state X; the MITM parts F and B with key bits (K1, K2) and partial matching on s′ bits now start from X instead of the ciphertext. Cost: $2^{|k_1|} + 2^{|k_2|} + 2^{|K_1|} + 2^{|K_2|} + 2^{|K| - s'}$.]
Bicliques
▶ Improvement of MITM attacks, but also...
▶ it can always be applied to reduce the total number of computations (at least the precomputed part) ⇒ acceleration of exhaustive search [BKR'11]²
▶ Many other accelerated exhaustive searches on LW block ciphers: PRESENT, LED, KLEIN, HIGHT, Piccolo, TWINE, LBlock... (less than 2 bits of gain).
▶ Is everything broken? No.
² Most important application: best key recovery on AES-128 in $2^{126.1}$ instead of the naive $2^{128}$.
Bicliques
[Figure: a biclique of dimension (|k1|, |k2|): $2^{|k_1|}$ states X_j and $2^{|k_2|}$ ciphertexts C_i such that X_j is mapped to C_i under the key K ⊕ k_1^i ⊕ k_2^j for every (i, j). Building it costs about $2^{|k_1|} + 2^{|k_2|}$ computations instead of $2^{|k_1| + |k_2|}$.]
Improved Bicliques [CN-PV 13]
Can we build bicliques with only one pair of P-C?
Sieve-in-the-Middle [CN-PV’13]
▶ Compute partial inputs and outputs of S ⇒ sieving with transitions instead of collisions.
[Figure: sieve-in-the-middle. E_K = B ∘ S ∘ F with K = K1 ∪ K2: the forward part F (key bits K1, k1) yields partial inputs of the middle layer S, the backward part B (key bits K2, k2) yields partial outputs of S, and a candidate is kept only if the (input, output) pair is a possible transition through S.]
When can we sieve?
[Figure: the middle layer S has m input bits, of which n_in are known, and n_out known output bits.]
▶ n_in known bits out of m: at most $2^{m - n_{in}}$ values for the n_out output bits.
▶ A transition exists with probability p.
▶ Sieve when $n_{in} + n_{out} > m$ ⇒ $p < 1$.
How do we sieve?
▶ We obtain a list L_A of partial inputs u and a list L_B of partial outputs v ⇒ merge L_A and L_B under the condition "(u, v) is a valid transition through S".
▶ The naive way costs $|L_A| \times |L_B| = 2^{|K_1| + |K_2|}$: no gain with respect to exhaustive search.
▶ We need an efficient procedure. Often S is a concatenation of S-boxes.
Merging the lists
Merging the lists with respect to R
▶ R is group-wise, i.e. for z groups $R(u, v) = \prod_{i=1}^{z} R_i(u_i, v_i)$.
Find all u ∈ L_A and v ∈ L_B such that R(u, v) = 1.
▶ Subcase of the first problem in [N-P 11]. First studied for rebound attacks.
Group-wise relation
[Figure: each u ∈ L_A and v ∈ L_B is split into z groups; a pair (u_p, v_q) is kept iff R_i(u_p^i, v_q^i) = 1 for every group i = 1..z. The lists have sizes |L_A| and |L_B|.]
Merging Algorithms
▶ The problem also appears in divide-and-conquer attacks (and rebound attacks).
▶ Solutions from list-merging algorithms [N-P 11] and dissection algorithms [DDKS 12].
▶ Many applications: ARMADILLO2 [ABN-PVZ 11], ECHO256 [JN-PS 11], JH42 [N-PTV 11], Grøstl [JN-PP 12], KLEIN [LN-P 14], AES-like [JN-PP 14], Sprout [LN-P 15], Ketje [FN-PR 18]...
Some Applications SITM
▶ Reduced-round PRESENT, DES, PRINCE, AES-biclique [Canteaut, N-P, Vayssieres 13]
▶ Reduced-round LBlock [Altawy, Youssef 14]
▶ Best reduced-round KATAN [Fuhr, Minaud 14]
▶ Reduced-round SIMON [Song et al. 14]
▶ Low-data AES [Bogdanov et al. 15] [Tao et al. 15]
▶ MIBS80/PRESENT80 [Faghihi et al. 16]
▶ Interesting for low-data attacks...
PRESENT [BKLPPRSV’07]
▶ One of the most popular ciphers, proposed in 2007, and now an ISO/IEC standard.
▶ Very large number of analyses published (20+).
▶ Best attacks so far: multiple linear attacks (27/31 r).
PRESENT
Block n = 64 bits, key 80 or 128 bits.
[Figure: one PRESENT round: 64-bit subkey XOR, the 16 parallel 4-bit S-boxes S15..S0, and the bit permutation.]
31 rounds + 1 final key addition.
Forward Computation
[Figure: forward computation of the partial S-box inputs from the plaintext.]
Backward Computation
[Figure: backward computation of the partial S-box outputs from the ciphertext.]
Sieving through the S-boxes: 1 S-box
The PRESENT S-box, x3x2x1x0 → S(x)3S(x)2S(x)1S(x)0:

x    | S(x)
0000 | 1100
0001 | 0101
0010 | 0110
0011 | 1011
0100 | 1001
0101 | 0000
0110 | 1010
0111 | 1101
1000 | 0011
1001 | 1110
1010 | 1111
1011 | 1000
1100 | 0100
1101 | 0111
1110 | 0001
1111 | 0010

With x2x1x0 known on the input side and y1y0 on the output side, the valid transitions x2x1x0 → y1y0 are:

000 → 00, 11
001 → 01, 10
010 → 10, 11
011 → 00, 11
100 → 00, 01
101 → 00, 11
110 → 01, 10
111 → 01, 10

16 values of (x2, x1, x0, y1, y0) out of 32 correspond to a valid transition.
Sieving through the S-boxes
▶ Probability for 1 S-box: p = 16/32 = 1/2
▶ Probability for the 6 S-boxes: $1/2^6$
▶ We only try $2^{80-6} = 2^{74}$ potential key candidates.
▶ 7 rounds (+1 with bicliques).
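The sieve on the S-box and the list merge behind it, as an added example that is not part of the slides. It rebuilds the transition table above from the PRESENT S-box for any choice of known input and output bits (the x2x1x0 → y1y0 case of the slide is one instance, and the generalisation goes slightly beyond the slide), gives the sieving probability p and the number of surviving candidates, and merges two lists L_A, L_B group-wise with a hash-based "instant matching" that enumerates, for each u, only the v compatible with it, checked against the naive |L_A| × |L_B| merge of the earlier slides. The 80-bit key and 6 S-boxes are the slide's numbers; the contents of the two lists in `demo()` are random constructed data.

```python
import math
import random
from itertools import product

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_BITS = 4   # m on the slide


def _select(x, mask):
    """Pack the bits of x selected by mask (LSB first) into a small integer."""
    out, pos = 0, 0
    for i in range(SBOX_BITS):
        if (mask >> i) & 1:
            out |= ((x >> i) & 1) << pos
            pos += 1
    return out


def valid_transitions(sbox, in_mask, out_mask):
    """Set of (u, v), u = known input bits (in_mask), v = known output bits
    (out_mask), that some full input x realises through S."""
    return {(_select(x, in_mask), _select(sbox[x], out_mask)) for x in range(1 << SBOX_BITS)}


def sieve_probability(sbox, in_mask, out_mask):
    """p = #valid (u, v) / 2^(n_in + n_out); p < 1 is only guaranteed when n_in + n_out > m."""
    n_in, n_out = bin(in_mask).count("1"), bin(out_mask).count("1")
    return len(valid_transitions(sbox, in_mask, out_mask)) / (1 << (n_in + n_out))


def surviving_candidates_log2(key_bits, n_sboxes, p):
    """log2 of the key candidates left after sieving through n_sboxes independent S-boxes."""
    return key_bits + n_sboxes * math.log2(p)


def merge_instant(list_a, list_b, valid):
    """Group-wise merge of L_A (tuples of partial inputs, one per S-box) with
    L_B (tuples of partial outputs): for each u enumerate only the v with
    R_i(u_i, v_i) = 1 for every group i and look them up in a hash set of L_B.
    Cost |L_A| * prod_i #compatible(u_i) instead of |L_A| * |L_B|."""
    compatible = {}
    for u_i, v_i in valid:
        compatible.setdefault(u_i, []).append(v_i)
    set_b = set(list_b)
    return {(u, v) for u in list_a
            for v in product(*(compatible[u_i] for u_i in u)) if v in set_b}


def merge_naive(list_a, list_b, valid):
    """Reference |L_A| * |L_B| merge, only used to check merge_instant."""
    return {(u, v) for u in list_a for v in list_b
            if all((u_i, v_i) in valid for u_i, v_i in zip(u, v))}


def demo(n_sboxes=6, size=256, seed=1):
    """Constructed lists: `size` random partial inputs (3 known bits per S-box)
    and partial outputs (2 known bits per S-box) for the slide's 6-S-box sieve."""
    valid = valid_transitions(PRESENT_SBOX, 0b0111, 0b0011)
    rng = random.Random(seed)
    list_a = list({tuple(rng.randrange(8) for _ in range(n_sboxes)) for _ in range(size)})
    list_b = list({tuple(rng.randrange(4) for _ in range(n_sboxes)) for _ in range(size)})
    return list_a, list_b, merge_instant(list_a, list_b, valid)


if __name__ == "__main__":
    p = sieve_probability(PRESENT_SBOX, 0b0111, 0b0011)
    print(f"p = {p}, candidates left: 2^{surviving_candidates_log2(80, 6, p):.0f}")
    la, lb, matches = demo()
    print(f"|L_A| = {len(la)}, |L_B| = {len(lb)}, matches = {len(matches)} "
          f"(about {len(la) * len(lb) / 64:.0f} expected)")
```

Each u here has exactly two compatible v per S-box (the 2^(m - n_in) bound of the slide, with m = 4 and n_in = 3), so the instant merge enumerates 2^6 = 64 candidate v per u and only keeps those present in L_B: the same result as the naive merge at a fraction of the pair tests. The sieve disappears when too few bits are known, e.g. one input and one output bit give p = 1.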
Importance of Dedicated Cryptanalysis
Lightweight Dedicated Analysis
▶ Few cases broken by well-known attacks (e.g. Puffin or Puffin2: multiple differentials).
▶ Happily, this is rare. Most of the time, new families or new ideas on known attacks exploiting the new properties are needed.
▶ Lightweight: more 'risky' designs, lower security margin, simpler components.
▶ Often innovative constructions ⇒ dedicated attacks.
Ex: PRESENT and PRINTcipher
PRESENT
Linear cryptanalysis: because of the S-box, there are 1-bit-to-1-bit linear approximations with bias $2^{-3}$ per round [O-09].
▶ Multiple linear attacks: consider several possible approximations simultaneously ⇒ up to 27 rounds out of 31 [BN-14].
PRINTcipher
▶ Many PRESENT-like ciphers proposed, like Puffin, PRINTcipher.
▶ Usually weaker than the original.
▶ PRINTcipher [KLPR'10], first cryptanalysis: invariant subspace attack [LAAZ'11].
PRINTcipher
48 rounds. [Figure: PRINTcipher round structure.]
The Invariant Subspace Attack [LAAZ’11]
With probability 1: [figure]
▶ Weak-key attack, but a very bad property for $2^{51}$ keys...
The Invariant Subspace Attack
▶ More applications afterwards: iScream, Robin, Zorro, Midori.
▶ Importance of generalizing/understanding dedicated attacks: new families/techniques might appear.
Final remarks
Zorro - Hash Functions links
▶ Lightweight block cipher proposed in [GGN-PS13] for easy masking.
▶ A modified AES with only four S-boxes per round (SPN with a partial non-linear layer).
▶ Bounds on the number of active S-boxes? Computed using degrees of freedom.
▶ Many analyses published. Problem: the MC (MixColumns) property ⇒ devastating attack [BDDLT13, RASA13]
LED - Hash Functions links
▶ Lightweight block cipher proposed in [GPPR12].
▶ AES-like with a simpler key schedule and more rounds. Nice simple design.
▶ Analysis provided with respect to known-key distinguishers (rebound-like). Seems like a lot of SHA-3 knowledge was put into this design.
Hash functions links - Sum up
▶ MITM, bicliques/initial structures: used in both scenarios
▶ Early abort ← message modification techniques
▶ State-test technique & choosing ∆in, ∆out ← rebound attacks
▶ Multiple impossible differentials ← multiple limited-birthday distinguishers
▶ Using degrees of freedom for bounds?... be careful!!
▶ Merging lists from rebounds / sieve-in-the-middle → many applications
▶ Other example: AES distinguishers inspired by rebound attacks.
Conclusion
To Sum Up
▶ Classical attacks, but also new dedicated ones exploiting the originality of the designs.
▶ Importance of generalizing: improvements, and dedicated attacks might become well-established techniques.
▶ Importance of reduced-round analysis to re-think the security margin, or as first steps of further analysis.
▶ New ideas inspired by SHA-3 might help improving attacks further!
▶ Better identifying composite problems / list-merging situations might provide improved results.
To Sum Up³
A lot of ciphers to analyze / a lot of work to do!
³ Thank you to Christina Boura and Leo Perrin for their help with the figures and the slides.